When things are managed automatically with good tools, they work. When people manage them, they often work. Here we talk about automation, managing systems, monitoring, discovery, open source, and related topics.

29 December 2009

Methods for relocating network connectivity

Methods for redirecting network connectivity

When a client talks to a service over a network, and the server providing the service fails, or the service needs to be moved for administrative reasons, what methods are available for redirecting network references to that service refer to a different server?

This post outlines the methods that I know of for doing this. But note the word redirect - that word is the key to all these methods. These different methods are ways of redirecting various layers in the networking stack. So let's first look at what happens for a normal IPv4 network connection over ethernet, and what all layers are involved, and what all places there are to redirect (or reroute) the network traffic to another server.

For simplicity's sake, we will ignore load balancers - both in hardware form, and DNS-level load balancers, and we assume a modern "switched" network.

Information Routing

What happens when a client establishes a connection to a service on a server?

Here is a brief synopsis of how connections get established.

The client is given or obtains from configuration information, bookmarks, etc. a name of the server running that service.

The client consults a DNS server to translate the server/service name into a 32-bit IPv4 address.

The client holds onto this name/IPv4 mapping in order to optimize future references to the server name. DNS lookup libraries normally do this themselves, but some applications also perform their own address caching.

The client then examines the IPv4 address, and determines which interface and gateway to send it out on on the basis of its local configuration and the IPv4 address itself.

The client OS then sends out an ARP packet to determine the 48-bit Media Access Control (MAC) address of the gateway, or the server itself, if the client and server are on the same subnet. It may have this MAC/IP correspondence cached from earlier packets it had received from the server.

The client OS sends out the packet to the MAC address determined in step 5 over the interface selected in step 4.

At some earlier time, the switch network will have "learned" which switch port the corresponds to the selected MAC address. It does this by observing which port sends packets for that given MAC address.

The switch network then routes the packet to the chosen MAC address on the subnet (this could either be the MAC address of the gateway or the server - as discussed earlier).

If the server is on the same subnet as the client, it receives the
packet and examines the packet to see if the destination IP
address is one it provides. If it does, then all is well. If it does not, then the
packet is dropped. So ends the "same subnet" case.

Assuming the server is not on the same subnet as the client...

The gateway receives the packet, and examines its routing table to decide where to route the packet to. This is determined by the routing protocol the gateway is running - for example, OSPF or BGP.

The "network cloud" routes the packet to the "final gateway" on the same subnet as the destination server. As before, this is determined by the various routing protocol(s) along the way from the first gateway to the last one. (This explanation is similar to the "then a miracle occurs" in the middle of a math proof).

The final gateway sends out an ARP packet to determine the MAC address of the destination server. It is typically cached for a few minutes up to an hour.

The final gateway then sends the packet out to the MAC address above over the selected interface based on the routing protocol it is running.

The destination server receives the
packet and examines the packet to see if the destination IP
address is one it provides. If it does, then all is well. If it does not, then the
packet is dropped.

There are several address transformations that transform from one conceptual address space into another lower level address space. These are:

Translation from "conceptual knowledge" of the server to the DNS name of the server.

Translation from the DNS server name to the destination IPv4 address

Translation of the destination IPv4 address to the destination gateway using routing information.

Translation from the destination IPv4 address to the destination MAC address.

Translation from MAC address to destination switch port.

Each of these transformations is a place where a redirection can occur.

The conceptual knowledge layer can be redirected by telling all clients to switch to a new server name.

The DNS layer can be redirected by updating DNS entries.

The network routing layer can be redirected by updating routing information in the network and pushing out the new route information.

The IPv4->MAC layer can be redirected by updating the ARP information and forcing the various ARP caches to be updated.

The MAC->switch port can be redirected by updating MAC addresses and forcing the switch network to learn the new MAC->switch correspondence.

Subsequent sections present detailed explanations of how to perform these various kinds of redirections.

Conceptual Knowledge Layer

There is no universal automated to update the conceptual knowledge layer - nevertheless, server relocations are sometimes handled at this layer. One can use automated client update tools to update client configuration files, one can use word-of-mouth, email, or any number of ad hoc tools. This is the least commonly used method for redirection on failure. Arguably, since it is hard to automate, it doesn't have much place on a blog on managing with automation.

DNS layer

Updating the DNS layer can be easily automated. The advantages are - it's universal, and little or no prior preparation has to occur, and no server/network political boundaries have to be dealt with, and the two servers don't have to be on the same subnet. The disadvantages are - not all clients use DNS addresses, Client OS DNS caching can interfere, Client software itself can interfere by caching the address outside DNS. Even with Dynamic DNS, it can take minutes to hours for changes to propagate and the new server address become known (and usable) to all clients. If the client application caches the address itself, then client applications have to be restarted. This last subcase can be difficult to automate.

Network routing layer

If a server fails, routing can be used to redirect the traffic for the failed server to another server on a different physical access segment. The advantages of this are - the two servers don't have to be on the same network segment, routing protocols are designed to deal with this kind of situation. The disadvantages include - if the IP address is public, then you have to move over at least 256 addresses at a time, there are often political boundaries making it hard for servers to automatically update network routing information, the additional routes for handling a large number of such movable addresses may slow down the routers involved.

ARP layer

When a server fails, another server can bring up the IP address of the dead service, update the ARP cache (typically using gratuitous ARPs - sometimes called ARP spoofing) and packets destined for the now-dead server go to the live one. The advantages include: IP address takeover can occur in less than a second, there is well-tested software for doing this, most organizations have a good method for allocating and managing additional IP addresses. The disadvantages include: The two servers have to be on the same network segment, some organizations lock down their network gear to make this "impossible" (which it doesn't - it just slows it down), and it typically increases the number of IP addresses needed by the servers and services.

MAC->switch port layer

MAC address takeover is a technique where a given network card is given multiple MAC addresses - one for an administrative address, and one for each group of independently-failable services. Retraining the switches to understand which switch port services the given MAC address is accomplished by simply sending any IPv4 packet with the new MAC address. The advantages include: Takeover can be very fast and quite reliable. The disadvantages include: the two servers have to be on the same network segment, some
organizations lock down their network gear to make this "impossible"
(which it doesn't - it just slows it down), and it typically increases
the number of MAC addresses needed by the servers and services, organizations almost never have methods for allocating and managing MAC addresses like they do IP addresses.

Which Method is "Best"?

I have heard it said that when you ask an engineer a question the answer is always the same regardless of the question - "It Depends". So it is here...

For servers on the same VLAN (or network segment) - IP address takeover (IP address spoofing) is the most common.

For servers on different VLANs or network segments:

Network route updating - if politically and technically feasible

DNS updating

Updating the conceptual knowledge layer

Note that there are some circumstances in which there is no easy answer. You may have to change your network configuration, solve political problems, buy an external netblock, or execute various other combinations of uncomfortable or difficult steps.